Cisco Fixes WebEx Bugs Allowing ‘Ghost’ Attackers In Meetings

Cisco has fixed today three Webex Meetings security vulnerabilities that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.

Cisco Webex is an online meeting and video conferencing software that can be used to schedule and join meetings. It also provides users with presentation, screen sharing, and recording capabilities.

Cisco’s remote meetings platform has seen a 451% usage increase over four months due to the current COVID-19 pandemic, with roughly 4 million meetings being hosted in a single day for 324 million users at its peak.

Ghost attackers in your Webex meeting

Threat actors abusing the now patched flaws could become ‘ghost’ users capable of joining a meeting without being detected as IBM researchers discovered while analyzing Cisco’s collaboration tool for vulnerabilities.

‘Ghost’ users are meeting participants that can’t be seen in the user list and were not invited to the meeting, but they can hear, speak, and share media within the meeting.

The three bugs also enabled attackers to remain in the Webex meeting and maintain a bidirectional audio connection even after admins would remove them and access Webex users’ information like email addresses and IP addresses from the meeting room lobby.

The vulnerabilities exist in the Cisco Webex Meetings and Cisco Webex Meetings Server, and they “work by exploiting the handshake process that Webex uses to establish a connection between meeting participants.”

Also Read: Contract for Service Template: 5 Important Sections

When successfully exploited, IBM researchers said that the bugs would have allowed attackers to:

• Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat, and screen sharing capabilities (CVE-2020-3419)
• Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection (CVE-2020-3471)
• Gain access to information on meeting attendees – including full names, email addresses, and IP addresses – from the meeting room lobby, even without being admitted to the call (CVE-2020-3441)

Security updates available

The researchers were able to successfully demonstrate attacks abusing these Webex bugs on Windows, macOS, and the iOS version of Webex Meetings applications and Webex Room Kit appliance.

Cisco has addressed the vulnerabilities by patching cloud-based Cisco Webex Meetings sites and releasing security updates for on-premises software such as the Cisco Webex Meetings mobile app and the Cisco Webex Meetings Server software.

Users are advised to immediately update to the latest Webex version to secure meetings from attackers that would attempt to exploit them and join as ghost users.

IBM’s research team has also made a video demo with vulnerability details and tips on what Webex Meetings can do to protect themselves from attacks.

Cisco has also addressed multiple critical vulnerabilities in its Cisco IoT Field Network Director (CVE-2020-3531), Cisco DNA Spaces Connector (CVE-2020-3586), Cisco Integrated Management Controller (CVE-2020-3470) products.

Following successful exploitation, unauthenticated remote attackers could execute arbitrary commands (with root privileges in some cases) and access the back-end database of compromised systems.

Also Read: Letter of Consent MOM: Getting the Details Right